8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension
Reviewed-by: jnimeh, mullan
This commit is contained in:
parent
4f11ff325f
commit
8b95d9549e
src/java.base/share/classes/sun/security/provider/certpath
test/jdk
security/infra/java/security/cert/CertPathValidator/certification
sun/security/provider/certpath/Extensions
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -76,14 +76,16 @@ public final class OCSPNonceExtension extends Extension {
|
||||
*
|
||||
* @throws IOException if any errors happen during encoding of the
|
||||
* extension.
|
||||
* @throws IllegalArgumentException if length is not a positive integer.
|
||||
* @throws IllegalArgumentException if length is not in the range of 1 to 32.
|
||||
*/
|
||||
public OCSPNonceExtension(boolean isCritical, int length)
|
||||
throws IOException {
|
||||
this.extensionId = PKIXExtensions.OCSPNonce_Id;
|
||||
this.critical = isCritical;
|
||||
|
||||
if (length > 0) {
|
||||
// RFC 8954, section 2.1: the length of the nonce MUST be at least 1 octet
|
||||
// and can be up to 32 octets.
|
||||
if (length > 0 && length <= 32) {
|
||||
SecureRandom rng = new SecureRandom();
|
||||
this.nonceData = new byte[length];
|
||||
rng.nextBytes(nonceData);
|
||||
@ -91,7 +93,7 @@ public final class OCSPNonceExtension extends Extension {
|
||||
nonceData).toByteArray();
|
||||
} else {
|
||||
throw new IllegalArgumentException(
|
||||
"Length must be a positive integer");
|
||||
"Length of nonce must be at least 1 byte and can be up to 32 bytes");
|
||||
}
|
||||
}
|
||||
|
||||
@ -121,12 +123,13 @@ public final class OCSPNonceExtension extends Extension {
|
||||
* @param isCritical a boolean flag indicating whether the criticality bit
|
||||
* is set for this extension
|
||||
* @param incomingNonce The nonce data to be set for the extension. This
|
||||
* must be a non-null array of at least one byte long.
|
||||
* must be a non-null array of at least one byte long and can be up to
|
||||
* 32 bytes.
|
||||
*
|
||||
* @throws IOException if any errors happen during encoding of the
|
||||
* extension.
|
||||
* @throws IllegalArgumentException if the incomingNonce length is not a
|
||||
* positive integer.
|
||||
* @throws IllegalArgumentException if the incomingNonce length is not
|
||||
* in the range of 1 to 32.
|
||||
* @throws NullPointerException if the incomingNonce is null.
|
||||
*/
|
||||
public OCSPNonceExtension(boolean isCritical, byte[] incomingNonce)
|
||||
@ -135,13 +138,15 @@ public final class OCSPNonceExtension extends Extension {
|
||||
this.critical = isCritical;
|
||||
|
||||
Objects.requireNonNull(incomingNonce, "Nonce data must be non-null");
|
||||
if (incomingNonce.length > 0) {
|
||||
// RFC 8954, section 2.1: the length of the nonce MUST be at least 1 octet
|
||||
// and can be up to 32 octets.
|
||||
if (incomingNonce.length > 0 && incomingNonce.length <= 32) {
|
||||
this.nonceData = incomingNonce.clone();
|
||||
this.extensionValue = new DerValue(DerValue.tag_OctetString,
|
||||
nonceData).toByteArray();
|
||||
} else {
|
||||
throw new IllegalArgumentException(
|
||||
"Nonce data must be at least 1 byte in length");
|
||||
"Nonce data must be at least 1 byte and can be up to 32 bytes in length");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2012, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -83,7 +83,10 @@ class RevocationChecker extends PKIXRevocationChecker {
|
||||
String ocspSubject;
|
||||
String ocspIssuer;
|
||||
String ocspSerial;
|
||||
boolean ocspNonce;
|
||||
}
|
||||
private RevocationProperties rp;
|
||||
private static final int DEFAULT_NONCE_BYTES = 16;
|
||||
|
||||
RevocationChecker() {
|
||||
legacy = false;
|
||||
@ -99,7 +102,7 @@ class RevocationChecker extends PKIXRevocationChecker {
|
||||
void init(TrustAnchor anchor, ValidatorParams params)
|
||||
throws CertPathValidatorException
|
||||
{
|
||||
RevocationProperties rp = getRevocationProperties();
|
||||
rp = getRevocationProperties();
|
||||
URI uri = getOcspResponder();
|
||||
responderURI = (uri == null) ? toURI(rp.ocspUrl) : uri;
|
||||
X509Certificate cert = getOcspResponderCert();
|
||||
@ -198,6 +201,8 @@ class RevocationChecker extends PKIXRevocationChecker {
|
||||
= Security.getProperty("ocsp.responderCertSerialNumber");
|
||||
rp.crlDPEnabled
|
||||
= Boolean.getBoolean("com.sun.security.enableCRLDP");
|
||||
rp.ocspNonce
|
||||
= Boolean.getBoolean("jdk.security.certpath.ocspNonce");
|
||||
return rp;
|
||||
}
|
||||
}
|
||||
@ -712,6 +717,13 @@ class RevocationChecker extends PKIXRevocationChecker {
|
||||
certId = new CertId(issuerInfo.getName(), issuerInfo.getPublicKey(),
|
||||
currCert.getSerialNumberObject());
|
||||
|
||||
byte[] nonce = null;
|
||||
for (Extension ext : ocspExtensions) {
|
||||
if (ext.getId().equals(KnownOIDs.OCSPNonceExt.value())) {
|
||||
nonce = ext.getValue();
|
||||
}
|
||||
}
|
||||
|
||||
// check if there is a cached OCSP response available
|
||||
byte[] responseBytes = ocspResponses.get(cert);
|
||||
if (responseBytes != null) {
|
||||
@ -721,12 +733,6 @@ class RevocationChecker extends PKIXRevocationChecker {
|
||||
response = new OCSPResponse(responseBytes);
|
||||
|
||||
// verify the response
|
||||
byte[] nonce = null;
|
||||
for (Extension ext : ocspExtensions) {
|
||||
if (ext.getId().equals(KnownOIDs.OCSPNonceExt.value())) {
|
||||
nonce = ext.getValue();
|
||||
}
|
||||
}
|
||||
response.verify(Collections.singletonList(certId), issuerInfo,
|
||||
responderCert, params.date(), nonce, params.variant());
|
||||
|
||||
@ -740,9 +746,43 @@ class RevocationChecker extends PKIXRevocationChecker {
|
||||
null, -1);
|
||||
}
|
||||
|
||||
List<Extension> tmpExtensions = null;
|
||||
if (rp.ocspNonce) {
|
||||
if (nonce == null) {
|
||||
try {
|
||||
// create the 16-byte nonce by default
|
||||
Extension nonceExt = new OCSPNonceExtension(DEFAULT_NONCE_BYTES);
|
||||
|
||||
if (ocspExtensions.size() > 0) {
|
||||
tmpExtensions = new ArrayList<Extension>(ocspExtensions);
|
||||
tmpExtensions.add(nonceExt);
|
||||
} else {
|
||||
tmpExtensions = List.of(nonceExt);
|
||||
}
|
||||
|
||||
if (debug != null) {
|
||||
debug.println("Default nonce has been created in the OCSP extensions");
|
||||
}
|
||||
} catch (IOException e) {
|
||||
throw new CertPathValidatorException("Failed to create the default nonce " +
|
||||
"in OCSP extensions", e);
|
||||
}
|
||||
} else {
|
||||
throw new CertPathValidatorException("Application provided nonce cannot be " +
|
||||
"used if the value of the jdk.security.certpath.ocspNonce system " +
|
||||
"property is true");
|
||||
}
|
||||
} else {
|
||||
if (nonce != null) {
|
||||
if (debug != null) {
|
||||
debug.println("Using application provided nonce");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
response = OCSP.check(Collections.singletonList(certId),
|
||||
responderURI, issuerInfo, responderCert, null,
|
||||
ocspExtensions, params.variant());
|
||||
rp.ocspNonce ? tmpExtensions : ocspExtensions, params.variant());
|
||||
}
|
||||
} catch (IOException e) {
|
||||
throw new CertPathValidatorException(
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2019, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -23,7 +23,7 @@
|
||||
|
||||
/*
|
||||
* @test
|
||||
* @bug 8232019
|
||||
* @bug 8232019 8256895
|
||||
* @summary Interoperability tests with LuxTrust Global Root 2 CA
|
||||
* @build ValidatePathWithParams
|
||||
* @run main/othervm -Djava.security.debug=certpath LuxTrustCA OCSP
|
||||
@ -173,6 +173,7 @@ public class LuxTrustCA {
|
||||
|
||||
public static void main(String[] args) throws Exception {
|
||||
|
||||
System.setProperty("jdk.security.certpath.ocspNonce", "true");
|
||||
ValidatePathWithParams pathValidator = new ValidatePathWithParams(null);
|
||||
|
||||
if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -23,7 +23,7 @@
|
||||
|
||||
/*
|
||||
* @test
|
||||
* @bug 8243320
|
||||
* @bug 8243320 8256895
|
||||
* @summary Interoperability tests with SSL.com's RSA, EV RSA, and ECC CA
|
||||
* @build ValidatePathWithParams
|
||||
* @run main/othervm -Djava.security.debug=certpath SSLCA OCSP
|
||||
@ -47,6 +47,7 @@ public class SSLCA {
|
||||
|
||||
public static void main(String[] args) throws Exception {
|
||||
|
||||
System.setProperty("jdk.security.certpath.ocspNonce", "true");
|
||||
ValidatePathWithParams pathValidator = new ValidatePathWithParams(null);
|
||||
boolean ocspEnabled = false;
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -23,7 +23,7 @@
|
||||
|
||||
/*
|
||||
* @test
|
||||
* @bug 8046321
|
||||
* @bug 8046321 8256895
|
||||
* @summary Unit tests for OCSPNonceExtension objects
|
||||
* @modules java.base/sun.security.provider.certpath
|
||||
* java.base/sun.security.util
|
||||
@ -192,6 +192,12 @@ public class OCSPNonceExtensionTests {
|
||||
throw new RuntimeException("Accepted a zero length nonce");
|
||||
} catch (IllegalArgumentException iae) { }
|
||||
|
||||
// Length of the nonce exceeds the maximum 32 bytes
|
||||
try {
|
||||
Extension bigLenNonce = new OCSPNonceExtension(33);
|
||||
throw new RuntimeException("Accepted a larger than 32 bytes of nonce");
|
||||
} catch (IllegalArgumentException iae) { }
|
||||
|
||||
// Valid input to constructor
|
||||
Extension nonceByLen = new OCSPNonceExtension(32);
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user